[VIDEO] Azure Managed App Deployment

Cloud Connector is a virtual appliance within Microsoft Azure used to forward cloud workload traffic to the Zero Trust Exchange. It can be deployed within an Azure environment using either Terraform or, as a more native option, the Azure Marketplace. The Azure Marketplace makes it easy to deploy Cloud Connector in a new or existing environment with just a few clicks. Simply browse to the Azure Marketplace and run the Zscaler Cloud Connector Application. The guided workflow then walks the user through Resource Group, Load Balancer, VNet, and Subnet creation, where necessary, before installing the appliances. A Managed Identity and Key Vault are required before running the Marketplace App, however, so ensure these prerequisites are met prior to beginning.

In this video, we’ll explore:
[0:00 to 0:38] Pre-requisites and overview of the Azure Marketplace App
[0:38 to 2:32] Deploying Cloud Connector using the Azure Marketplace
[2:32 to 3:05] Key takeaways


Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.
In this video, we’ll explore how Zscaler Cloud Connector can be provisioned within Microsoft Azure using the Marketplace Application. Before you get started, make sure to check out the Azure Pre-Requisites video and Terraform Overview video linked in the description as there are some items that need to be understood and set up prior to running this application.

For customers seeking a more native automation option for deploying Cloud Connector, Zscaler offers Azure Resource Manager Templates through the Marketplace. The Azure Marketplace makes it easy to deploy Cloud Connector in a new or existing environment with just a few clicks.

From the Azure portal, navigate to the Marketplace and search for Zscaler Cloud Connector Application.

Click the create option to proceed with the deployment.

Select your Subscription and choose a Resource Group that will house the Cloud Connector components. Be aware, however, that the Resource Group MUST be empty. Alternatively, you may create a new Resource Group in this workflow.

Select your Region and click the Next button to proceed.

Enter your Provisioning URL… select your SSH Keys, and identify the Key Vault you wish to leverage for Cloud Connector authentication.

In the User Assigned Managed Identity section, select the Managed Identity you pre-created that has Get and List access to the Key Vault as well as Read access to the appliance’s interfaces. Again, if you’re unsure about how this Managed Identity should be configured, please check out the Azure Pre-requisites video linked in the description.

Click the Next button to proceed.

Here, choose whether or not to create and configure a Load Balancer, or select an existing one. For the purposes of this demo, we’ll create a new one. For redundancy purposes, we’ll update the workflow to create 2 Cloud Connector appliances using HTTP probe port 50000 for health checks. This port identifies a heartbeat service that the appliance uses to report its current health to the Azure Standard Load Balancer.

Next, choose whether you wish to leverage Availability Sets or Availability Zones for physical or geographical redundancy. For this demonstration, we’ll choose Availability Zones to provide physical data center fault isolation. Clicking the Next button then allows us to select the Availability Zones we wish to use.

Here, we’ll select Availability Zones 1 and 2.

We’re now given the option to either select an existing VNet or create a new one. Depending on the architecture of your Azure cloud environment, choose the correct option. Each Cloud Connector will require its own unique subnet. Choose whether to create a new one or use an existing Subnet from the dropdown list.

Click the Next button to proceed. If you have any tags you wish to assign to these resources, add them here. Click the Next button to proceed.

In this final screen, review the changes that will be made and click the Create button.

The creation process will take approximately 5 to 7 minutes. Once complete, you can verify the workflow’s changes by reviewing your All Resources output.

– The Azure Managed App can easily deploy Cloud Connector appliances and, optionally, a Load Balancer, VNets, Subnets, Route Table, and NAT Gateway.

– It requires an empty Resource Group to deploy to but can leverage some of your existing Azure resources, so it can lend itself to both Brownfield and Greenfield integration.

– Ensure you have met pre-requisites in Azure prior to running the ARM Marketplace Application so that the workflow will deploy to a successful state.
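The prerequisites named above (an empty Resource Group, and a Managed Identity with Get and List access to the Key Vault) can be checked before opening the Marketplace workflow. The following is an added example, not Zscaler's code and not part of the video: it inspects parsed Azure CLI JSON output and also flags permissions beyond Get and List. It assumes the Get/List rights are secret permissions granted through a vault access policy; the sample identity and vault are constructed.

```python
# Added example: inputs are parsed JSON from the Azure CLI, e.g.
#   az resource list --resource-group <rg>
#   az identity show --name <identity> --resource-group <rg>
#   az keyvault show --name <vault>
REQUIRED = {"get", "list"}  # assumption: the Get/List rights are on secrets

# Constructed sample data (not from a real tenant).
SAMPLE_IDENTITY = {"name": "cc-identity",
                   "principalId": "11111111-1111-1111-1111-111111111111"}
SAMPLE_VAULT = {"name": "cc-vault", "properties": {
    "enableRbacAuthorization": False,
    "accessPolicies": [{
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []},
    }]}}


def preflight(resources, identity, vault):
    """Return a list of (severity, message) findings; empty means ready."""
    findings = []
    if resources:
        findings.append(("error", f"resource group holds {len(resources)} resource(s); it must be empty"))
    props = vault.get("properties", {})
    if props.get("enableRbacAuthorization"):
        # Access policies are not evaluated when the vault uses Azure RBAC.
        findings.append(("warning", "vault uses Azure RBAC; review role assignments instead of access policies"))
        return findings
    policy = next((p for p in props.get("accessPolicies") or []
                   if p.get("objectId") == identity["principalId"]), None)
    if policy is None:
        findings.append(("error", "managed identity has no access policy on the vault"))
        return findings
    perms = policy.get("permissions") or {}
    secrets = {p.lower() for p in perms.get("secrets") or []}
    if REQUIRED - secrets:
        findings.append(("error", f"missing secret permissions: {sorted(REQUIRED - secrets)}"))
    # Least privilege: anything beyond Get/List on secrets is more than the page asks for.
    extra = {f"secrets/{p}" for p in secrets - REQUIRED}
    for kind in ("keys", "certificates", "storage"):
        extra |= {f"{kind}/{p.lower()}" for p in perms.get(kind) or []}
    if extra:
        findings.append(("warning", f"permissions beyond Get/List: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for severity, message in preflight([], SAMPLE_IDENTITY, SAMPLE_VAULT):
        print(f"{severity}: {message}")
```

The Read access to the appliance's interfaces mentioned in the video is not covered by this check.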